@apostrophecms/import-export
cpe:2.3:a:apostrophecms:apostrophecms:*:*:*:*:*:*:*
- <= 3.5.2
A path traversal vulnerability has been identified in ApostropheCMS versions prior to 3.5.3, specifically within the '@apostrophecms/import-export' package. The issue arises in the 'extract()' function of 'gzip.js', where file-write paths are created using 'fs.createWriteStream(path.join(exportPath, header.name))'. The 'path.join()' method fails to properly sanitize traversal segments, allowing a tar entry named '../../evil.js' to be extracted outside the intended directory. This vulnerability, a classic Zip Slip issue, enables users with Global Content Modify permission to upload malicious '.tar.gz' files through the CMS import interface, potentially writing harmful content to any accessible path on the host filesystem.
Exploitation of this vulnerability allows for unauthenticated-equivalent arbitrary file writes. Any file can be written to any location the Node.js process user can access. This has been confirmed to include paths within the CMS process's permissions. Such writes can be leveraged to deface websites, inject malicious assets, create persistent backdoors, overwrite sensitive configuration files, or cause denial-of-service by corrupting critical application files.
To reproduce this vulnerability, upload a crafted '.tar.gz' file through the ApostropheCMS import UI. The file should include a traversal payload that exploits the path traversal vulnerability in the 'extract()' function of the '@apostrophecms/import-export' package. Once the file is imported, the traversed file will be written to a location outside the intended extraction directory, confirming the exploitation of the Zip Slip vulnerability.
Users are advised to update to version 3.5.3 of '@apostrophecms/import-export', where this vulnerability has been patched.